Processor Requests

When processing requests, there are two options to select in step 3 of the Request Wizard: Controller and Processor. This article walks through the request flow if you select Processor during this step.

Controllers

Controllers control the procedures and purposes of data usage. The controller dictates how and why the data is going to be used. Controllers are the main decision-makers, meaning they are in control by specifying how the data is going to be used by the processor. You exercise overall control in what data to process and why. If the request comes from someone you contact directly like a sales lead or customer – you are a controller.

Processors

Processors process any data that the controller gives it and acts on instructions. The processor is what the controller chose to use and process the data with. Even 3rd party services for processors don’t own the data that they process or control. This means that the data processor is bound by the instructions given by the controller. If you don't directly contact the requester; one of your customers does. – you are a processor.

Processor Requests

Most of how a request flows through DataGrail is the same for a Controller or Processor requests, but there are a few differences throughout the lifecycle. The first main difference is how the request is received. For processor requests, you can only receive them via email intake.

Once you have received the email for this request and it has been forwarded into DataGrail, the next difference you’ll see is in step 4 of the Request Wizard. In this step, two email fields are required compared to the one field on a Controller request. The labels for each identify what email should be added:

• Data Subject Email: This is the email address of the data subject and will be utilized when retrieving or deleting data from your systems.
• Controller: This is the email address for the Controller of this data subject’s data. As a processor, you are taking action on this data per the controllers request. The main thing to highlight here is all email communication from DataGrail, including email verifications and the results email, will be sent to this email address.

Note: The Data Subject Email address and the Controller address are required to be different

Once you process the privacy request through the Wizard, it will follow the privacy request lifecycle (Access or Deletion) flow through DataGrail. The data subject’s email will be utilized to retrieve or delete records just as it would with a Controller request.

The next difference you will see while processing the request is within the Request UI. There are some minor differences in the information presented on a Processor request (e.g. the Data Requester’s Email).

After processing the request through the regular privacy request lifecycle, the last difference between the Processor flow and the Controller flow is that the final results email will be sent to the Controller’s email address (listed as the Data Requester Email in the screenshot above).